Date
May 13, 2025, 12:07 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 19.545316] ==================================================================
[ 19.545414] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 19.545499] Read of size 1 at addr fff00000c4065800 by task kunit_try_catch/196
[ 19.545557]
[ 19.545604] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250513 #1 PREEMPT
[ 19.545706] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.545739] Hardware name: linux,dummy-virt (DT)
[ 19.545777] Call trace:
[ 19.545817] show_stack+0x20/0x38 (C)
[ 19.545882] dump_stack_lvl+0x8c/0xd0
[ 19.545940] print_report+0x118/0x608
[ 19.546011] kasan_report+0xdc/0x128
[ 19.546065] __kasan_check_byte+0x54/0x70
[ 19.546116] ksize+0x30/0x88
[ 19.546167] ksize_uaf+0x168/0x5f8
[ 19.546215] kunit_try_run_case+0x170/0x3f0
[ 19.546270] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.546328] kthread+0x328/0x630
[ 19.546380] ret_from_fork+0x10/0x20
[ 19.546438]
[ 19.546514] Allocated by task 196:
[ 19.546548] kasan_save_stack+0x3c/0x68
[ 19.546601] kasan_save_track+0x20/0x40
[ 19.546643] kasan_save_alloc_info+0x40/0x58
[ 19.546690] __kasan_kmalloc+0xd4/0xd8
[ 19.546731] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.546778] ksize_uaf+0xb8/0x5f8
[ 19.546817] kunit_try_run_case+0x170/0x3f0
[ 19.546861] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.546908] kthread+0x328/0x630
[ 19.546947] ret_from_fork+0x10/0x20
[ 19.547003]
[ 19.547026] Freed by task 196:
[ 19.547059] kasan_save_stack+0x3c/0x68
[ 19.547104] kasan_save_track+0x20/0x40
[ 19.547167] kasan_save_free_info+0x4c/0x78
[ 19.547289] __kasan_slab_free+0x6c/0x98
[ 19.547399] kfree+0x214/0x3c8
[ 19.547454] ksize_uaf+0x11c/0x5f8
[ 19.547511] kunit_try_run_case+0x170/0x3f0
[ 19.547553] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.547602] kthread+0x328/0x630
[ 19.547657] ret_from_fork+0x10/0x20
[ 19.547769]
[ 19.547795] The buggy address belongs to the object at fff00000c4065800
[ 19.547795]  which belongs to the cache kmalloc-128 of size 128
[ 19.547865] The buggy address is located 0 bytes inside of
[ 19.547865]  freed 128-byte region [fff00000c4065800, fff00000c4065880)
[ 19.547932]
[ 19.548131] The buggy address belongs to the physical page:
[ 19.548170] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104065
[ 19.548232] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.548287] page_type: f5(slab)
[ 19.548338] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.548395] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.548439] page dumped because: kasan: bad access detected
[ 19.548476]
[ 19.548496] Memory state around the buggy address:
[ 19.548533]  fff00000c4065700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.548583]  fff00000c4065780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.548631] >fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.548672]                    ^
[ 19.548705]  fff00000c4065880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.548779]  fff00000c4065900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.548824] ==================================================================
[ 19.554056] ==================================================================
[ 19.554130] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 19.554196] Read of size 1 at addr fff00000c4065878 by task kunit_try_catch/196
[ 19.554252]
[ 19.554290] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250513 #1 PREEMPT
[ 19.554384] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.554416] Hardware name: linux,dummy-virt (DT)
[ 19.554464] Call trace:
[ 19.554494] show_stack+0x20/0x38 (C)
[ 19.554551] dump_stack_lvl+0x8c/0xd0
[ 19.554604] print_report+0x118/0x608
[ 19.554688] kasan_report+0xdc/0x128
[ 19.554751] __asan_report_load1_noabort+0x20/0x30
[ 19.554809] ksize_uaf+0x544/0x5f8
[ 19.554855] kunit_try_run_case+0x170/0x3f0
[ 19.554907] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.555042] kthread+0x328/0x630
[ 19.555101] ret_from_fork+0x10/0x20
[ 19.555179]
[ 19.555203] Allocated by task 196:
[ 19.555234] kasan_save_stack+0x3c/0x68
[ 19.555281] kasan_save_track+0x20/0x40
[ 19.555325] kasan_save_alloc_info+0x40/0x58
[ 19.555369] __kasan_kmalloc+0xd4/0xd8
[ 19.555410] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.555454] ksize_uaf+0xb8/0x5f8
[ 19.555492] kunit_try_run_case+0x170/0x3f0
[ 19.555533] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.555581] kthread+0x328/0x630
[ 19.555619] ret_from_fork+0x10/0x20
[ 19.555660]
[ 19.555680] Freed by task 196:
[ 19.555711] kasan_save_stack+0x3c/0x68
[ 19.555753] kasan_save_track+0x20/0x40
[ 19.555793] kasan_save_free_info+0x4c/0x78
[ 19.555838] __kasan_slab_free+0x6c/0x98
[ 19.555879] kfree+0x214/0x3c8
[ 19.555916] ksize_uaf+0x11c/0x5f8
[ 19.555954] kunit_try_run_case+0x170/0x3f0
[ 19.556012] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.556062] kthread+0x328/0x630
[ 19.556103] ret_from_fork+0x10/0x20
[ 19.556144]
[ 19.556166] The buggy address belongs to the object at fff00000c4065800
[ 19.556166]  which belongs to the cache kmalloc-128 of size 128
[ 19.556230] The buggy address is located 120 bytes inside of
[ 19.556230]  freed 128-byte region [fff00000c4065800, fff00000c4065880)
[ 19.556296]
[ 19.556322] The buggy address belongs to the physical page:
[ 19.556355] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104065
[ 19.556412] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.556463] page_type: f5(slab)
[ 19.556547] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.556608] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.556660] page dumped because: kasan: bad access detected
[ 19.556733]
[ 19.556769] Memory state around the buggy address:
[ 19.556806]  fff00000c4065700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.556907]  fff00000c4065780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.556964] >fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.557044]                                                                  ^
[ 19.557103]  fff00000c4065880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.557150]  fff00000c4065900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.557192] ==================================================================
[ 19.549914] ==================================================================
[ 19.549994] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 19.550062] Read of size 1 at addr fff00000c4065800 by task kunit_try_catch/196
[ 19.550119]
[ 19.550162] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250513 #1 PREEMPT
[ 19.550262] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.550316] Hardware name: linux,dummy-virt (DT)
[ 19.550389] Call trace:
[ 19.550418] show_stack+0x20/0x38 (C)
[ 19.550524] dump_stack_lvl+0x8c/0xd0
[ 19.550579] print_report+0x118/0x608
[ 19.550633] kasan_report+0xdc/0x128
[ 19.550685] __asan_report_load1_noabort+0x20/0x30
[ 19.550741] ksize_uaf+0x598/0x5f8
[ 19.550790] kunit_try_run_case+0x170/0x3f0
[ 19.550843] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.550900] kthread+0x328/0x630
[ 19.550956] ret_from_fork+0x10/0x20
[ 19.551026]
[ 19.551048] Allocated by task 196:
[ 19.551080] kasan_save_stack+0x3c/0x68
[ 19.551129] kasan_save_track+0x20/0x40
[ 19.551171] kasan_save_alloc_info+0x40/0x58
[ 19.551216] __kasan_kmalloc+0xd4/0xd8
[ 19.551257] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.551328] ksize_uaf+0xb8/0x5f8
[ 19.551374] kunit_try_run_case+0x170/0x3f0
[ 19.551424] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.551471] kthread+0x328/0x630
[ 19.551511] ret_from_fork+0x10/0x20
[ 19.551552]
[ 19.551574] Freed by task 196:
[ 19.551606] kasan_save_stack+0x3c/0x68
[ 19.551646] kasan_save_track+0x20/0x40
[ 19.551687] kasan_save_free_info+0x4c/0x78
[ 19.551732] __kasan_slab_free+0x6c/0x98
[ 19.551773] kfree+0x214/0x3c8
[ 19.551839] ksize_uaf+0x11c/0x5f8
[ 19.551881] kunit_try_run_case+0x170/0x3f0
[ 19.551922] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.552026] kthread+0x328/0x630
[ 19.552074] ret_from_fork+0x10/0x20
[ 19.552114]
[ 19.552140] The buggy address belongs to the object at fff00000c4065800
[ 19.552140]  which belongs to the cache kmalloc-128 of size 128
[ 19.552204] The buggy address is located 0 bytes inside of
[ 19.552204]  freed 128-byte region [fff00000c4065800, fff00000c4065880)
[ 19.552353]
[ 19.552481] The buggy address belongs to the physical page:
[ 19.552521] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104065
[ 19.552582] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.552646] page_type: f5(slab)
[ 19.552736] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.552797] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.552841] page dumped because: kasan: bad access detected
[ 19.552876]
[ 19.552897] Memory state around the buggy address:
[ 19.552932]  fff00000c4065700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.553005]  fff00000c4065780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.553057] >fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.553099]                    ^
[ 19.553134]  fff00000c4065880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.553182]  fff00000c4065900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.553225] ==================================================================
```
qemu-x86_64:

```text
[ 11.612140] ==================================================================
[ 11.612491] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 11.612890] Read of size 1 at addr ffff8881026a8b00 by task kun

it_try_catch/213
[ 11.613210]
[ 11.613326] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250513 #1 PREEMPT(voluntary)
[ 11.613373] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.613384] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.613404] Call Trace:
[ 11.613425] <TASK>
[ 11.613439] dump_stack_lvl+0x73/0xb0
[ 11.613466] print_report+0xd1/0x650
[ 11.613500] ? __virt_addr_valid+0x1db/0x2d0
[ 11.613522] ? ksize_uaf+0x5fe/0x6c0
[ 11.613585] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.613626] ? ksize_uaf+0x5fe/0x6c0
[ 11.613647] kasan_report+0x141/0x180
[ 11.613670] ? ksize_uaf+0x5fe/0x6c0
[ 11.613706] __asan_report_load1_noabort+0x18/0x20
[ 11.613727] ksize_uaf+0x5fe/0x6c0
[ 11.613748] ? __pfx_ksize_uaf+0x10/0x10
[ 11.613769] ? __schedule+0x10cc/0x2b60
[ 11.613791] ? __pfx_read_tsc+0x10/0x10
[ 11.613810] ? ktime_get_ts64+0x86/0x230
[ 11.613843] kunit_try_run_case+0x1a5/0x480
[ 11.613866] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.613887] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.613920] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.613941] ? __kthread_parkme+0x82/0x180
[ 11.613961] ? preempt_count_sub+0x50/0x80
[ 11.613986] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.614009] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.614031] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.614054] kthread+0x337/0x6f0
[ 11.614082] ? trace_preempt_on+0x20/0xc0
[ 11.614105] ? __pfx_kthread+0x10/0x10
[ 11.614126] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.614156] ? calculate_sigpending+0x7b/0xa0
[ 11.614179] ? __pfx_kthread+0x10/0x10
[ 11.614201] ret_from_fork+0x116/0x1d0
[ 11.614218] ? __pfx_kthread+0x10/0x10
[ 11.614239] ret_from_fork_asm+0x1a/0x30
[ 11.614280] </TASK>
[ 11.614292]
[ 11.621934] Allocated by task 213:
[ 11.622069] kasan_save_stack+0x45/0x70
[ 11.622211] kasan_save_track+0x18/0x40
[ 11.622489] kasan_save_alloc_info+0x3b/0x50
[ 11.622717] __kasan_kmalloc+0xb7/0xc0
[ 11.622909] __kmalloc_cache_noprof+0x189/0x420
[ 11.623125] ksize_uaf+0xaa/0x6c0
[ 11.623463] kunit_try_run_case+0x1a5/0x480
[ 11.623781] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.623977] kthread+0x337/0x6f0
[ 11.624175] ret_from_fork+0x116/0x1d0
[ 11.624372] ret_from_fork_asm+0x1a/0x30
[ 11.624622]
[ 11.624740] Freed by task 213:
[ 11.624893] kasan_save_stack+0x45/0x70
[ 11.625102] kasan_save_track+0x18/0x40
[ 11.625312] kasan_save_free_info+0x3f/0x60
[ 11.625509] __kasan_slab_free+0x56/0x70
[ 11.625712] kfree+0x222/0x3f0
[ 11.625828] ksize_uaf+0x12c/0x6c0
[ 11.625954] kunit_try_run_case+0x1a5/0x480
[ 11.626097] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.626750] kthread+0x337/0x6f0
[ 11.626946] ret_from_fork+0x116/0x1d0
[ 11.627136] ret_from_fork_asm+0x1a/0x30
[ 11.627573]
[ 11.627709] The buggy address belongs to the object at ffff8881026a8b00
[ 11.627709]  which belongs to the cache kmalloc-128 of size 128
[ 11.628136] The buggy address is located 0 bytes inside of
[ 11.628136]  freed 128-byte region [ffff8881026a8b00, ffff8881026a8b80)
[ 11.628553]
[ 11.628669] The buggy address belongs to the physical page:
[ 11.628944] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a8
[ 11.629389] flags: 0x200000000000000(node=0|zone=2)
[ 11.629719] page_type: f5(slab)
[ 11.629917] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.630180] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.630456] page dumped because: kasan: bad access detected
[ 11.630746]
[ 11.630858] Memory state around the buggy address:
[ 11.631288]  ffff8881026a8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.631871]  ffff8881026a8a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.632147] >ffff8881026a8b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.632545]                    ^
[ 11.632807]  ffff8881026a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.633107]  ffff8881026a8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.633444] ==================================================================
[ 11.588474] ==================================================================
[ 11.589179] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 11.589607] Read of size 1 at addr ffff8881026a8b00 by task kunit_try_catch/213
[ 11.590045]
[ 11.590198] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250513 #1 PREEMPT(voluntary)
[ 11.590247] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.590259] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.590278] Call Trace:
[ 11.590290] <TASK>
[ 11.590306] dump_stack_lvl+0x73/0xb0
[ 11.590347] print_report+0xd1/0x650
[ 11.590369] ? __virt_addr_valid+0x1db/0x2d0
[ 11.590394] ? ksize_uaf+0x19d/0x6c0
[ 11.590425] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.590448] ? ksize_uaf+0x19d/0x6c0
[ 11.590477] kasan_report+0x141/0x180
[ 11.590499] ? ksize_uaf+0x19d/0x6c0
[ 11.590523] ? ksize_uaf+0x19d/0x6c0
[ 11.590547] __kasan_check_byte+0x3d/0x50
[ 11.590569] ksize+0x20/0x60
[ 11.590590] ksize_uaf+0x19d/0x6c0
[ 11.590611] ? __pfx_ksize_uaf+0x10/0x10
[ 11.590642] ? __schedule+0x10cc/0x2b60
[ 11.590664] ? __pfx_read_tsc+0x10/0x10
[ 11.590685] ? ktime_get_ts64+0x86/0x230
[ 11.590719] kunit_try_run_case+0x1a5/0x480
[ 11.590744] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.590765] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.590798] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.590820] ? __kthread_parkme+0x82/0x180
[ 11.590840] ? preempt_count_sub+0x50/0x80
[ 11.590865] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.590888] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.590910] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.590942] kthread+0x337/0x6f0
[ 11.590961] ? trace_preempt_on+0x20/0xc0
[ 11.590985] ? __pfx_kthread+0x10/0x10
[ 11.591016] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.591037] ? calculate_sigpending+0x7b/0xa0
[ 11.591061] ? __pfx_kthread+0x10/0x10
[ 11.591082] ret_from_fork+0x116/0x1d0
[ 11.591100] ? __pfx_kthread+0x10/0x10
[ 11.591120] ret_from_fork_asm+0x1a/0x30
[ 11.591152] </TASK>
[ 11.591163]
[ 11.599273] Allocated by task 213:
[ 11.599404] kasan_save_stack+0x45/0x70
[ 11.599548] kasan_save_track+0x18/0x40
[ 11.599812] kasan_save_alloc_info+0x3b/0x50
[ 11.600030] __kasan_kmalloc+0xb7/0xc0
[ 11.600242] __kmalloc_cache_noprof+0x189/0x420
[ 11.600439] ksize_uaf+0xaa/0x6c0
[ 11.600562] kunit_try_run_case+0x1a5/0x480
[ 11.600719] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.601267] kthread+0x337/0x6f0
[ 11.601464] ret_from_fork+0x116/0x1d0
[ 11.601864] ret_from_fork_asm+0x1a/0x30
[ 11.602057]
[ 11.602154] Freed by task 213:
[ 11.602390] kasan_save_stack+0x45/0x70
[ 11.602671] kasan_save_track+0x18/0x40
[ 11.602884] kasan_save_free_info+0x3f/0x60
[ 11.603074] __kasan_slab_free+0x56/0x70
[ 11.603275] kfree+0x222/0x3f0
[ 11.603430] ksize_uaf+0x12c/0x6c0
[ 11.603840] kunit_try_run_case+0x1a5/0x480
[ 11.604174] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.604429] kthread+0x337/0x6f0
[ 11.604706] ret_from_fork+0x116/0x1d0
[ 11.604894] ret_from_fork_asm+0x1a/0x30
[ 11.605076]
[ 11.605148] The buggy address belongs to the object at ffff8881026a8b00
[ 11.605148]  which belongs to the cache kmalloc-128 of size 128
[ 11.605491] The buggy address is located 0 bytes inside of
[ 11.605491]  freed 128-byte region [ffff8881026a8b00, ffff8881026a8b80)
[ 11.606011]
[ 11.606130] The buggy address belongs to the physical page:
[ 11.606474] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a8
[ 11.606812] flags: 0x200000000000000(node=0|zone=2)
[ 11.606976] page_type: f5(slab)
[ 11.607098] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.607670] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.608043] page dumped because: kasan: bad access detected
[ 11.608433]
[ 11.609509] Memory state around the buggy address:
[ 11.609750]  ffff8881026a8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.609964]  ffff8881026a8a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.610175] >ffff8881026a8b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.610400]                    ^
[ 11.610570]  ffff8881026a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.610897]  ffff8881026a8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.611248] ==================================================================
[ 11.634021] ==================================================================
[ 11.634386] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 11.634772] Read of size 1 at addr ffff8881026a8b78 by task kunit_try_catch/213
[ 11.635035]
[ 11.635122] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250513 #1 PREEMPT(voluntary)
[ 11.635167] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.635179] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.635199] Call Trace:
[ 11.635224] <TASK>
[ 11.635239] dump_stack_lvl+0x73/0xb0
[ 11.635266] print_report+0xd1/0x650
[ 11.635299] ? __virt_addr_valid+0x1db/0x2d0
[ 11.635321] ? ksize_uaf+0x5e4/0x6c0
[ 11.635341] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.635363] ? ksize_uaf+0x5e4/0x6c0
[ 11.635385] kasan_report+0x141/0x180
[ 11.635407] ? ksize_uaf+0x5e4/0x6c0
[ 11.635433] __asan_report_load1_noabort+0x18/0x20
[ 11.635453] ksize_uaf+0x5e4/0x6c0
[ 11.635474] ? __pfx_ksize_uaf+0x10/0x10
[ 11.635496] ? __schedule+0x10cc/0x2b60
[ 11.635518] ? __pfx_read_tsc+0x10/0x10
[ 11.635589] ? ktime_get_ts64+0x86/0x230
[ 11.635627] kunit_try_run_case+0x1a5/0x480
[ 11.635653] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.635684] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.635708] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.635729] ? __kthread_parkme+0x82/0x180
[ 11.635760] ? preempt_count_sub+0x50/0x80
[ 11.635784] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.635807] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.635829] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.635853] kthread+0x337/0x6f0
[ 11.635872] ? trace_preempt_on+0x20/0xc0
[ 11.635895] ? __pfx_kthread+0x10/0x10
[ 11.635916] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.635936] ? calculate_sigpending+0x7b/0xa0
[ 11.635960] ? __pfx_kthread+0x10/0x10
[ 11.635981] ret_from_fork+0x116/0x1d0
[ 11.635999] ? __pfx_kthread+0x10/0x10
[ 11.636020] ret_from_fork_asm+0x1a/0x30
[ 11.636052] </TASK>
[ 11.636062]
[ 11.643820] Allocated by task 213:
[ 11.644002] kasan_save_stack+0x45/0x70
[ 11.644378] kasan_save_track+0x18/0x40
[ 11.644674] kasan_save_alloc_info+0x3b/0x50
[ 11.644897] __kasan_kmalloc+0xb7/0xc0
[ 11.645082] __kmalloc_cache_noprof+0x189/0x420
[ 11.645386] ksize_uaf+0xaa/0x6c0
[ 11.645638] kunit_try_run_case+0x1a5/0x480
[ 11.645834] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.646074] kthread+0x337/0x6f0
[ 11.646195] ret_from_fork+0x116/0x1d0
[ 11.646395] ret_from_fork_asm+0x1a/0x30
[ 11.646604]
[ 11.646708] Freed by task 213:
[ 11.646904] kasan_save_stack+0x45/0x70
[ 11.647085] kasan_save_track+0x18/0x40
[ 11.647220] kasan_save_free_info+0x3f/0x60
[ 11.647361] __kasan_slab_free+0x56/0x70
[ 11.647498] kfree+0x222/0x3f0
[ 11.647622] ksize_uaf+0x12c/0x6c0
[ 11.647798] kunit_try_run_case+0x1a5/0x480
[ 11.648067] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.648505] kthread+0x337/0x6f0
[ 11.648936] ret_from_fork+0x116/0x1d0
[ 11.649139] ret_from_fork_asm+0x1a/0x30
[ 11.649316]
[ 11.649389] The buggy address belongs to the object at ffff8881026a8b00
[ 11.649389]  which belongs to the cache kmalloc-128 of size 128
[ 11.650048] The buggy address is located 120 bytes inside of
[ 11.650048]  freed 128-byte region [ffff8881026a8b00, ffff8881026a8b80)
[ 11.650839]
[ 11.650971] The buggy address belongs to the physical page:
[ 11.651233] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a8
[ 11.651554] flags: 0x200000000000000(node=0|zone=2)
[ 11.651732] page_type: f5(slab)
[ 11.651989] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.652425] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.652841] page dumped because: kasan: bad access detected
[ 11.653048]
[ 11.653144] Memory state around the buggy address:
[ 11.653727]  ffff8881026a8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.654041]  ffff8881026a8a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.654390] >ffff8881026a8b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.654795]                                                                  ^
[ 11.655090]  ffff8881026a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.655405]  ffff8881026a8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.655677] ==================================================================
```
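The three reports per environment above are the ones the `ksize_uaf` KUnit self-test provokes on purpose: it allocates an object from kmalloc-128, frees it, then calls `ksize()` on the dangling pointer and reads byte 0 and byte 120 of the freed region. That is why every report blames `ksize_uaf` in the access, allocation and free stacks, why the kernel carries the TEST (`N`) taint and runs the access on a `kunit_try_catch` thread, and why the shadow row under the fault reads `fa fb fb ...` (freed object) between `fc` redzones. The script below is an added example, not code from this page or from the kernel tree: it recovers the original lines from the extractor-joined log, parses each report into a record, looks up the shadow byte covering the faulting address, and separates such self-test reports from reports a CI run should actually page someone about. The sample log is a condensed copy of the page's first arm64 report; the KASAN/allocator frame lists, the self-test heuristic and the assumption of generic KASAN (one shadow byte per 8-byte granule) are this example's own choices, and it needs Python 3.8+ for the walrus operator:

```python
"""Parse and triage KASAN reports out of an extractor-joined kernel log. Added example, not
code from the report page or the kernel tree; it assumes the generic-KASAN wording shown above
(one shadow byte per 8-byte granule). The frame lists and self-test heuristic are its own."""
import re
from dataclasses import dataclass, field

STAMP_RE = re.compile(r"\[\s*\d+\.\d+\]\s*")                      # "[ 19.545316] "
BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(Read|Write) of size \d+ at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/\d+")
TAINT_RE = re.compile(r"Tainted: (?P<flags>(?:[A-Z] )+)\d")       # "Tainted: G B N 6.15..."
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes")              # "... located 120 bytes inside of"
REGION_RE = re.compile(r"(?P<state>freed |allocated )?\d+-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_RE = re.compile(r"^>?(?P<base>[0-9a-f]+): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2})*)$")
GRANULE = 8                                                        # generic KASAN shadow granule

@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""                   # function KASAN names in the BUG line
    addr: int = 0
    comm: str = ""
    offset: int = -1                 # bytes from the object start ("located N bytes inside of")
    taint: list = field(default_factory=list)
    region: tuple = ()               # (start, end, "freed" | "allocated" | "")
    stacks: dict = field(default_factory=lambda: {"trace": [], "allocated": [], "freed": []})
    shadow: dict = field(default_factory=dict)   # granule address -> shadow byte

def parse_reports(text):
    reports, cur, section = [], None, None
    # Undo the extractor's line joining: every original kernel line starts with a stamp.
    for line in (part.strip() for part in STAMP_RE.split(text)[1:]):
        if re.fullmatch(r"=+", line):            # '=' lines open and close each report
            if cur is not None:
                reports.append(cur)
            cur, section = (KasanReport() if cur is None else None), None
        elif cur is None or not line:            # outside a report, or a blank line ending a section
            section = None
        elif m := BUG_RE.search(line):
            cur.bug, cur.func = m["bug"], m["func"]
        elif m := ACCESS_RE.search(line):
            cur.addr, cur.comm = int(m["addr"], 16), m["comm"]
        elif m := TAINT_RE.search(line):
            cur.taint = m["flags"].split()
        elif m := OFFSET_RE.search(line):
            cur.offset = int(m["off"])
        elif m := REGION_RE.search(line):
            cur.region = (int(m["lo"], 16), int(m["hi"], 16), (m["state"] or "").strip())
        elif line.lower() == "call trace:":
            section = "trace"
        elif line.startswith(("Allocated by", "Freed by", "Memory state")):
            section = line.split()[0].lower()    # "allocated" / "freed" / "memory"
        elif section == "memory" and (m := SHADOW_RE.match(line)):
            for i, byte in enumerate(m["bytes"].split()):
                cur.shadow[int(m["base"], 16) + GRANULE * i] = int(byte, 16)
        elif section in cur.stacks and (m := FRAME_RE.match(line)):
            cur.stacks[section].append(m["sym"])   # x86 "? sym" guess frames never match
    return reports

# Skipped when deciding whom to blame: KASAN/report plumbing (by prefix) and the allocator
# entry points seen on this page (exact names; extend the set for other allocators).
KASAN_PREFIXES = ("kasan_", "__kasan_", "__asan_", "print_report", "dump_stack", "show_stack")
ALLOCATOR_FRAMES = {"kfree", "ksize", "__kmalloc_cache_noprof", "__kmalloc_noprof", "kmem_cache_free"}

def blame_frame(frames):
    return next((s for s in frames if not s.startswith(KASAN_PREFIXES) and s not in ALLOCATOR_FRAMES), None)

def is_kasan_selftest_report(r):
    # Heuristic: kernel tainted TEST ('N'), access on a KUnit thread, and the access,
    # allocation and free all blame the function named in the BUG line.
    sites = {blame_frame(f) for f in r.stacks.values() if f}
    return "N" in r.taint and r.comm == "kunit_try_catch" and sites == {r.func}

def shadow_at(r):
    # Shadow byte for the faulting granule: fa/fb freed slab object (fa also carries the free
    # track), fc slab redzone, 00 fully addressable, 01..07 that many leading bytes addressable.
    return r.shadow.get(r.addr - r.addr % GRANULE)

# Constructed sample: the page's first arm64 report, condensed, joined into one line as the extractor did.
SAMPLE_LOG = " ".join([
    "[ 19.545316] ==================================================================",
    "[ 19.545414] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8",
    "[ 19.545499] Read of size 1 at addr fff00000c4065800 by task kunit_try_catch/196",
    "[ 19.545557]",
    "[ 19.545604] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250513 #1 PREEMPT",
    "[ 19.545777] Call trace:",
    "[ 19.546011] kasan_report+0xdc/0x128",
    "[ 19.546116] ksize+0x30/0x88",
    "[ 19.546167] ksize_uaf+0x168/0x5f8",
    "[ 19.546514] Allocated by task 196:",
    "[ 19.546731] __kmalloc_cache_noprof+0x15c/0x3c0",
    "[ 19.546778] ksize_uaf+0xb8/0x5f8",
    "[ 19.547026] Freed by task 196:",
    "[ 19.547399] kfree+0x214/0x3c8",
    "[ 19.547454] ksize_uaf+0x11c/0x5f8",
    "[ 19.547865] The buggy address is located 0 bytes inside of",
    "[ 19.547865] freed 128-byte region [fff00000c4065800, fff00000c4065880)",
    "[ 19.548496] Memory state around the buggy address:",
    "[ 19.548631] >fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "[ 19.548824] ==================================================================",
])
```

Run `parse_reports()` over a whole boot log and route only the reports for which `is_kasan_selftest_report()` is false; on this page that filter drops all six. The shadow lookup is the same arithmetic the kernel's caret line encodes: the fault at offset 120 lands on granule 15 of the freed object, whose shadow byte is `fb`, while the offset-0 faults land on the `fa` granule that also holds the free track.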